OpenProject SQL Injection Vulnerability in Cost Reporting Module

Vulnerability

A SQL injection vulnerability has been identified in OpenProject versions prior to 17.2.3. The issue lies in the cost reporting module, where the '=n' filter operator interpolates user-supplied input directly into the SQL WHERE clause instead of passing it as a bound parameter. Because the attacker-controlled value becomes part of the SQL text rather than a quoted literal, the predicate can be rewritten into arbitrary SQL by anyone who can submit a cost report filter.
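
The pattern behind this class of bug, shown as an added illustration in Ruby (OpenProject's language) rather than OpenProject's own code: the method names, the column allow-list and the sample payload are assumptions made for the example. The vulnerable version builds the predicate by string interpolation, so a value such as "1 OR 1=1" changes the meaning of the WHERE clause; the hardened version keeps the column name out of user control, coerces the value to an integer, and hands the value to the database as a bind rather than as SQL text.

```ruby
# Added illustration of the flaw class described above. This is NOT OpenProject's
# code: method names, ALLOWED_COLUMNS and the sample payload are assumed.

# Vulnerable pattern: the operator builds the predicate by string interpolation,
# so an attacker-controlled value becomes part of the SQL grammar.
def vulnerable_equals_predicate(column, value)
  "#{column} = #{value}"
end

# Hardened pattern for a numeric equality operator:
#  1. the column name must come from a fixed allow-list (never from the request),
#  2. the value is coerced to a base-10 Integer, which rejects anything that is
#     not a plain number ("1 OR 1=1", "1; DROP TABLE ...", "0x10", ...),
#  3. the predicate uses a bind placeholder and the value travels separately,
#     so the database driver never sees it as SQL text.
ALLOWED_COLUMNS = %w[project_id user_id cost_type_id].freeze

def safe_equals_predicate(column, value)
  unless ALLOWED_COLUMNS.include?(column)
    raise ArgumentError, "unknown column #{column.inspect}"
  end
  number = Integer(value.to_s, 10) # raises ArgumentError on non-numeric input
  ["#{column} = ?", number]
end

if __FILE__ == $PROGRAM_NAME
  payload = "1 OR 1=1" # constructed sample input
  puts vulnerable_equals_predicate("project_id", payload) # project_id = 1 OR 1=1 (matches every row)
  p safe_equals_predicate("project_id", "42")             # ["project_id = ?", 42]
  begin
    safe_equals_predicate("project_id", payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The important property is that the safe version's return value is a pair (SQL with placeholder, bind value): the SQL string is built only from trusted fragments, and the user's input can reach the database only as a typed parameter.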

Impact

Exploitation requires an authenticated account with access to cost reports; no further privileges are needed. A user meeting that precondition can read or modify any data in the OpenProject database, not only cost-report data, so a successful attack should be treated as a full database compromise.

Remediation

Update to OpenProject version 17.2.3 or later. Until the update is applied, restricting which accounts can access cost reports limits who can reach the vulnerable operator, since the flaw is only reachable by authenticated users with that access.

Added: Apr 2, 2026, 6:33 PM
Updated: Apr 2, 2026, 6:33 PM

Vulnerability Rating

Custom Algorithm (category: score)
spread: 1.9
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.